WEB how DO you secure a web app?

ok so the last few interviews I've had, I was always stumped when asked about security. Just blank. I know completely nothing. I have another interview coming up tomorrow and I am so not confident about it that I don't even feel like going. I don't wanna go and make a fool out of myself, again, when asked about security.
I've googled a few articles and most of them are filled with too much jargon for me to care about, or are just hard for me to understand. I've also read a couple of books and so far the most important thing I've learned is to Filter Input, Escape Output. That's all.
If someone can help me out, could you please list maybe 5 of the biggest issues in web application security? Just a summary of what the problem is, and how to handle it?

Thank you very much. Do you mind elaborating on checking POST and GET authenticity? And about sessions, I know a bit about session hijacking. How would you prevent that, besides generating a new session ID every time a user loads a page?

Thanks again

POST variables are variables sent from a form. GET variables are variables that are passed via URL. Checking the authenticity of these variables means making sure these variables are being sent from your server, not manually input in the browser by some random user, or sent by a form the user created on his own computer. Also, limiting the input of these variables would be ideal, so you force the user to submit only the data you want submitted.

As far as SESSION goes, you really have to limit the data you want to be accessed as a SESSION variable. For example, if you have an application that loads a user profile, you shouldn't need to make every variable a session variable to be accessed across the website. SESSION variables should be limited as much as possible. You eventually lose control over your application if you're constantly passing SESSION vars anyway. A useful method to prevent SESSION hijacking would be to write a security function that will check that the referrer was sent from your site, rather than from some other site or the user.

There are some frameworks that assign a unique key every time a user hits a website and a session is created. So, whenever a new user comes to the website and has successfully hijacked or attempted to hijack a session, a new key will be assigned to that user, but the system won't allow the user to authenticate because the session doesn't match the unique ID.

Always use a framework. Good programmers write good code, while great programmers reuse the code written by good programmers.

If any of you would pick ONE security issue that would concern you most, what would you say?

#1 would be user input. It is the one thing that is mostly responsible for website attacks on the web application end. User input can dictate a lot of things -- SQL injection attacks, XSS attacks, variable access/modification attacks, and so on.

Since that topic is so broad, more specifically, SQL injection. More so because SQL is an easy language to learn, and accomplishing a SQL injection attack through a web form is easy if you know it and if you know how the programming language behind the data processing works. The most commonly used language for implementing the database query methods is PHP, and as we all know PHP is a loosely typed language, so it's easy for a lot of newbies to understand; but because PHP is a loosely typed language, people tend to learn bad practices from many of the tutorials available on the web.

When most newbies discover a flaw in their code and realize how easy it was to exploit, the first thing a lot of them do is go to random websites and test it out to see if they can accomplish a successful attack.

You should think of user input and security on every form that you write. I say use a framework because a lot of existing frameworks have a lot of this security built into them.